b"                               U.S. DEPARTMENT OF ENERGY\n                              OFFICE OF INSPECTOR GENERAL\n\n\n\n\n                   REPORT ON MATTERS IDENTIFIED AT THE\n                        OAKLAND OPERATIONS OFFICE\n              DURING THE AUDIT OF THE DEPARTMENT OF ENERGY'S\n            CONSOLIDATED FISCAL YEAR 1998 FINANCIAL STATEMENTS\n\n\n\n\nThe Office of Inspector General wants to make the distribution of its reports as customer friendly\nand cost effective as possible. Therefore, this report will be available electronically through the\nInternet at the following addresses:\n\n\n            U.S. Department of Energy Management and Administration Home Page\n                                  http://www.hr.doe.gov/ig\n                                             or\n                                   http://www.ma.doe.gov\n\n                 Your comments would be appreciated and can be provided on the\n        Customer Response Form attached to the report. This report can be obtained from the:\n\n                                   U.S. Department of Energy\n                          Office of Scientific and Technical Information\n                                           P.O. Box 62\n                                  Oak Ridge, Tennessee 37831\n\n\n\n\nReport Number: WR-FS-99-04                                      Western Regional Audit Office\nDate of Issue: May 17, 1999                                     Albuquerque, New Mexico 87185\n\x0c                  REPORT ON MATTERS IDENTIFIED AT THE\n                       OAKLAND OPERATIONS OFFICE\n             DURING THE AUDIT OF THE DEPARTMENT OF ENERGY'S\n           CONSOLIDATED FISCAL YEAR 1998 FINANCIAL STATEMENTS\n\n\n                                 TABLE OF CONTENTS\n\n                                                                                         Page\n\n           SUMMARY\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 ..\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 .\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6                  1\n\nPART I -   APPROACH AND OVERVIEW\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 ..\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 .\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6                    2\n\n           Introduction\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 ..\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 .            2\n\n           Scope and Methodology\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 ....            2\n\n           Observations\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 ..\xe2\x80\xa6 .            3\n\nPART II - AUDIT RESULTS\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 .\xe2\x80\xa6                   4\n\n           Computer Network Security\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 .\xe2\x80\xa6 .            4\n\nPART III - STATUS OF PRIOR YEAR OPEN FINDINGS AND RECOMMENDATIONS                         5\n\n           Collection of Accounts Receivable from Other Federal Agencies\xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 .\xe2\x80\xa6 ..\xe2\x80\xa6 .    5\n\x0c                            U.S. DEPARTMENT OF ENERGY\n                            OFFICE OF INSPECTOR GENERAL\n                              OFFICE OF AUDIT SERVICES\n                           WESTERN REGIONAL AUDIT OFFICE\n\n\n                   REPORT ON MATTERS IDENTIFIED AT THE\n                        OAKLAND OPERATIONS OFFICE\n              DURING THE AUDIT OF THE DEPARTMENT OF ENERGY'S\n            CONSOLIDATED FISCAL YEAR 1998 FINANCIAL STATEMENTS\n\n\nAudit Report Number: WR-FS-99-04\n\n                                           SUMMARY\n\n       The Government Management Reform Act of 1994 requires that the Department of\nEnergy (DOE) annually submit audited financial statements to the Office of Management and\nBudget (OMB). A DOE-wide audit was conducted to determine whether there was reasonable\nassurance that DOE's consolidated Fiscal Year (FY) 1998 financial statements were free of\nmaterial misstatements. We conducted a portion of the DOE-wide audit at the Oakland\nOperations Office (Oakland) and its management and operating contractors.\n\n        The audit at Oakland and its contractors disclosed deficiencies in computer network\nsecurity. In addition, Oakland had not completed corrective actions on a prior finding related to\ndelinquent federal receivables.\n\n      We recommended that improvements be made to computer network security.\nManagement agreed with the finding and recommendations and initiated corrective actions.\n\n\n\n                                                      _____(Signed)__________\n                                                      Office of Inspector General\n\x0c                                               PART I\n\n                                  APPROACH AND OVERVIEW\n\nINTRODUCTION\n\n       The Government Management Reform Act of 1994 requires that audited financial\nstatements covering all accounts and associated activities of DOE be submitted annually to\nOMB. A DOE-wide audit of the consolidated FY 1998 financial statements was conducted by\nexamining internal controls, assessing compliance with laws and regulations, evaluating\naccounting transaction cycles, and testing selected account balances at various DOE facilities.\n\n        The objective of the DOE-wide audit was to determine whether the DOE consolidated\nfinancial statements presented fairly, in all material respects, the financial position of DOE as of\nSeptember 30, 1998 and 1997, and its consolidated net cost, changes in net position, budgetary\nresources, financing activities, and custodial activities for the fiscal years then ended in\nconformity with federal accounting standards. DOE-wide issues are addressed in Audit Report\nNo. DOE/IG-FS-99-01, issued on February 25, 1999.\n\n        The purpose of this report is to inform Oakland management of matters that came to the\nattention of the Office of Inspector General (OIG) during the audit of Oakland and its contractors.\nOakland is responsible for the account balances entered into DOE's core accounting system.\n\nSCOPE AND METHODOLOGY\n\n        The audit was conducted from April 1998 through January 1999 at the Oakland\nOperations Office, Oakland, California; Lawrence Livermore National Laboratory, Livermore,\nCalifornia; and Lawrence Berkeley National Laboratory, Berkeley, California. Specifically, we\nexamined internal controls, assessed compliance with applicable laws and regulations, and\nselectively tested account balances reported to DOE Headquarters as necessary to achieve DOE-\nwide audit objectives.\n\n         The audit was performed in accordance with generally accepted Government auditing\nstandards for financial audits. Since we relied on computer-generated data, we evaluated the\ngeneral and application control environment of certain financial systems and evaluated the\nreliability of the data on a test basis.\n\n        Because the audit was limited, it would not necessarily disclose all of the internal control\nweaknesses that may have existed. Furthermore, because of inherent limitations in any system of\ninternal controls, errors or irregularities may nevertheless occur and not be detected. The issues\naddressed in this report represent our observations of activities through the end of fieldwork on\nJanuary 5, 1999. Projection of any evaluation of the internal controls to future periods is subject\nto the risk that procedures may become inadequate because of changes in conditions or that the\neffectiveness of the design and operation of policies and procedures may deteriorate.\n\n                                                  2\n\x0c         In addition to the audit work conducted by the OIG, internal audit personnel and an\nindependent public accounting firm reviewed certain cycles. Lawrence Livermore National\nLaboratory (Livermore) internal audit personnel reviewed the Payroll Cycle and reported the\nresults to its own management in a separate report. There were no findings issued as a result of\nthe payroll review. An independent accounting firm reviewed the Overview, Disbursements,\nFinancing and Revenue, and Pension and Other Post-Retirement Liabilities cycles. The\naccounting firm also evaluated computer network security at Oakland and Lawrence Berkeley\nNational Laboratory (Berkeley).\n\n       The OIG considered all findings, generated as a result of these reviews, when preparing\nthe DOE-wide report and the management report referred to in that report. The OIG is\naddressing issues requiring local management's attention in this report. Oakland management\nwaived the exit conference.\n\nOBSERVATIONS\n\n        We observed internal control deficiencies in computer network security at Oakland and\nBerkeley. We recommended that Oakland take immediate action to strengthen computer\nnetwork security at both locations. Management concurred with the recommendations and took\ncorrective actions. Oakland had not completed corrective actions on one finding contained in the\nprior year's report.\n\n      Part II of this report provides additional details concerning the audit results and\nmanagement's comments. Part III provides the status of a prior year open finding and\nrecommendations.\n\n\n\n\n                                                 3\n\x0c                                            PART II\n\n                                       AUDIT RESULTS\n\nComputer Network Security\n\n       Federal and DOE directives require that procedures be developed and implemented to\nprevent misuse and abuse of unclassified computer resources. Included are access controls, such\nas passwords and user identifications, to limit or detect access to computer programs, data,\nequipment, and facilities. However, Oakland controls were insufficient to limit access to\ncomputing resources and to detect unauthorized access. At Berkeley, there were weaknesses in\nmonitoring computer security and correcting identified weaknesses. As a result, computer\nnetworks and components at both locations were vulnerable to unauthorized access, modification,\nand loss or disclosure of data.\n\nRecommendations\n\n       We recommend that:\n\n       1. Oakland take immediate action to strengthen its computer network security; and,\n\n       2. The Oakland Manager direct Berkeley to strengthen its computer network security.\n\nManagement Comments\n\n        Oakland agreed with both recommendations and stated that it had completed corrective\nactions to its system. Oakland also stated that Berkeley would complete its corrective actions by\nAugust 1999.\n\nAuditor Comments\n\n        The comments provided by Oakland management are responsive to the intent of our\nrecommendations. We plan to conduct follow-up reviews of management's effort to correct the\nconditions described and assess the effectiveness of corrective actions as part of our audit of\nDOE's FY 1999 consolidated financial statements.\n\n\n\n\n                                                4\n\x0c                                            PART III\n\n         STATUS OF PRIOR YEAR OPEN FINDING AND RECOMMENDATIONS\n\n        This section provides the status of an open finding reported in the Report on Matters\nIdentified at the Oakland Operations Office During the Audit of the Department's Consolidated\nFiscal Year 1997 Financial Statements (Report Number WR-FS-98-05; July 8, 1998). This\nfinding is still pending resolution or requires further attention.\n\nCollection of Accounts Receivable from Other Federal Agencies\n\n        Oakland had not implemented DOE's debt collection procedures for collecting delinquent\naccounts receivable from other federal agencies. We recommended that Oakland (1) request\nguidance from the DOE Chief Financial Officer (CFO) on how delinquent receivables should be\nreferred to the Attorney General and (2) direct Livermore to fully implement the DOE debt\ncollection strategy. Oakland stated that it would explore alternative collection approaches with\nDOE's CFO and work with Livermore.\n\nStatus\n\n        Oakland Finance personnel met with Headquarters CFO representatives in December 1998\nand reviewed a proposed draft policy paper. The policy paper had not been issued pending\ncompletion of discussions with the Department of Justice. Oakland will advise Livermore of\nactions to be taken when guidance is received from the CFO.\n\n        The OIG contacted the DOE CFO's Office of Financial Policy, which stated that\nunresolved interagency claims should be referred through the DOE CFO to the Attorney General\nfor resolution. The CFO agreed to assist Field CFOs in their collection efforts.\n\n\n\n\n                                               5\n\x0c                                                                    IG Report No. WR-FS-99-04\n\n                              CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers' requirements,\nand therefore ask that you consider sharing your thoughts with us. On the back of this form, you\nmay suggest improvements to enhance the effectiveness of future reports. Please include answers\nto the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or procedures\n   of the audit or inspection would have been helpful to the reader in understanding this report?\n\n2. What additional information related to findings and recommendations could have been\n   included in this report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report's overall\n   message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues\n   discussed in this report which would have been helpful?\n\nPlease include your name and telephone number so that we may contact you should we have any\nquestions about your comments.\n\n\nName_________________________                     Date __________________________\n\nTelephone______________________                   Organization____________________\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n\n                               Office of Inspector General (IG-1)\n                               Department of Energy\n                               Washington, D.C. 20585\n                               ATTN.: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of Inspector\nGeneral, please contact Wilma Slaughter at (202) 586-1924.\n\x0c"